Red Hat SummitEste contenido no está disponible en el idioma seleccionado.
5.2. Using Identity Management for Authentication
Satellite 5 now offers authentication through an IdM or IPA server, which provides support for:
- Kerberos authentication in the WebUI
- Users do not need to be pre-created in Satellite database
- The PAM authentication can be enabled for all users
- User roles can be derived from user group membership in the external identity provider
- System Groups administrators can be derived from user group membership in the external identity provider per Organization
Note
IPA authentication configuration only works with Satellite 5's Web UI. Client tools like
rhn_register, rhnreg_ks, spacecmd, rhncfg-manager and the Satellite 5 API can not use IPA authentication.
5.2.1. Requirements
Copiar enlaceEnlace copiado en el portapapeles!
Satellite Authentication through IPA has the following requirements:
- A configured Satellite Server. The following instructions will use the hostname
satellite.example.comto denote the Satellite server. - A configured IPA/IdM Server on Red Hat Enterprise Linux 6 or 7. The following instructions will use the hostname
ipa.example.comto denote the IPA server. - Installation of additional packages on the Satellite server. Use the following command to install these packages from the standard Red Hat Enterprise Linux 6 and 7 repositories:
yum install ipa-client ipa-admintools sssd sssd-dbus mod_auth_kerb mod_authnz_pam mod_lookup_identity mod_intercept_form_submit -y
[root@satellite ~]# yum install ipa-client ipa-admintools sssd sssd-dbus mod_auth_kerb mod_authnz_pam mod_lookup_identity mod_intercept_form_submit -yCopy to Clipboard Copied! Toggle word wrap Toggle overflow - The latest version of the
selinux-policypackage to ensure the latest SELinux Booleans are added. You can update this package with the following command:yum update selinux-policy -y
[root@satellite ~]# yum update selinux-policy -yCopy to Clipboard Copied! Toggle word wrap Toggle overflow
5.2.2. Enrolling the Satellite Server
Copiar enlaceEnlace copiado en el portapapeles!
Enrol the Satellite server with the IPA server using the
ipa-client-install command. This will step through the required configuration options to enrol the Satellite server.
When complete, the Satellite server acts as an client using the IPA Server details.
The IPA server also requires a HTTP Service for the Satellite server. Authenticate the Satellite server against the IPA server with the admin user and run the
ipa service-add command:
5.2.3. Using the IPA Authentication Setup Tool
Copiar enlaceEnlace copiado en el portapapeles!
Satellite contains a tool called
spacewalk-setup-ipa-authentication, which configures your Satellite server to use IPA Authentication. The tool performs the following steps:
- Configures Kerberos authentication on the Satellite server
- Configures SSSD services on the Satellite server
- Configures Satellite webservers to communicate with SSSD and observe PAM authentication
Run the command on the Satellite server to start the configuration:
spacewalk-setup-ipa-authentication
[root@satellite ~]# spacewalk-setup-ipa-authentication
5.2.4. Finalizing Authentication Configuration
Copiar enlaceEnlace copiado en el portapapeles!
Log in as the Satellite administration user and navigate to
Users can now login to Satellite using their IPA credentials.
5.2.5. Configuring IPA to Use Multiple Organizations (Optional)
Copiar enlaceEnlace copiado en el portapapeles!
The IPA server contains a parameter for the Organizational Unit for each user. Satellite can use this value to map to its own Organizations. This adds specific users to Organizations based upon the Organizational Unit value (
ou) in the IPA server.
Log in as the Satellite administration user and navigate to
Satellite now adds users to Organizations based on each user's Organizational Unit in the IPA server. Users with no Organizational Unit are assigned to the default organization.
5.2.6. Configuring IPA to Use Groups (Optional)
Copiar enlaceEnlace copiado en el portapapeles!
The IPA server contains parameters for Groups, which Satellite can map to roles. This provides a method to use role-based permissions for IPA users.
Log in as the Satellite administration user and navigate to
- External Group Name - Enter the name of the group from the IPA server.
- Administrative Roles and Roles - Select roles to assign to the group. For example, assign the Channel Administrator.
Click Create to complete the group creation.
Satellite now assigns permissions to users based on each user's IPA groups.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}